diff options
| author | Nick Mathewson <nickm@torproject.org> | 2018-10-29 15:57:31 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2018-10-29 15:57:31 -0400 |
| commit | c4b6b573880ba3f4806fed09e20ff384b556e277 (patch) | |
| tree | 0a99f786ae4a1895f5d65e3c7c50c4d70f1ce1f0 | |
| parent | b063ca0604d6cc99adf1009818c10ee14d006aab (diff) | |
| parent | 8013e3e8b6af4170f622765a0fb1a219131028bd (diff) | |
| download | tor-c4b6b573880ba3f4806fed09e20ff384b556e277.tar.gz tor-c4b6b573880ba3f4806fed09e20ff384b556e277.zip | |
Merge branch 'maint-0.3.3' into maint-0.3.4
| -rw-r--r-- | changes/bug28202 | 4 | ||||
| -rw-r--r-- | src/or/parsecommon.c | 3 | ||||
| -rw-r--r-- | src/or/routerparse.c | 7 |
3 files changed, 8 insertions, 6 deletions
diff --git a/changes/bug28202 b/changes/bug28202 new file mode 100644 index 0000000000..182daac4f1 --- /dev/null +++ b/changes/bug28202 @@ -0,0 +1,4 @@ + o Minor bugfixes (C correctness): + - Avoid undefined behavior in an end-of-string check when parsing the + BEGIN line in a directory object. Fixes bug 28202; bugfix on + 0.2.0.3-alpha. diff --git a/src/or/parsecommon.c b/src/or/parsecommon.c index 9bd00e17ce..cd1a0c2521 100644 --- a/src/or/parsecommon.c +++ b/src/or/parsecommon.c @@ -345,7 +345,7 @@ get_next_token(memarea_t *area, goto check_object; obstart = *s; /* Set obstart to start of object spec */ - if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ + if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */ strcmp_len(eol-5, "-----", 5) || /* nuls or invalid endings */ (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) { /* name too long */ RET_ERR("Malformed object: bad begin line"); @@ -448,4 +448,3 @@ find_all_by_keyword(const smartlist_t *s, directory_keyword k) }); return out; } - diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 7af41c3baf..e82ecec5b7 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4602,13 +4602,13 @@ find_start_of_next_microdesc(const char *s, const char *eos) return NULL; #define CHECK_LENGTH() STMT_BEGIN \ - if (s+32 > eos) \ + if (eos - s < 32) \ return NULL; \ STMT_END #define NEXT_LINE() STMT_BEGIN \ s = memchr(s, '\n', eos-s); \ - if (!s || s+1 >= eos) \ + if (!s || eos - s <= 1) \ return NULL; \ s++; \ STMT_END @@ -4632,7 +4632,7 @@ find_start_of_next_microdesc(const char *s, const char *eos) /* Okay, now we're pointed at the first line of the microdescriptor which is not an annotation or onion-key. The next line that _is_ an annotation or onion-key is the start of the next microdescriptor. */ - while (s+32 < eos) { + while (eos - s > 32) { if (*s == '@' || !strcmpstart(s, "onion-key")) return s; NEXT_LINE(); @@ -5667,4 +5667,3 @@ routerparse_free_all(void) { dump_desc_fifo_cleanup(); } - |